#6240 - CSP Error in Browsers

Identifier #6240
Issue type Minor issue (breaks specific functionality)
Title CSP Error in Browsers
Status Closed (cannot reproduce)
Handling member PDStig
Version V11 beta7
Addon core
Description When visiting a V11 Beta 7 site and opening the developer panel I see errors popping up.

content.js:1 Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' composr.app www.composr.app ipinfo.io www.ipinfo.io z-na.amazon-adsystem.com aax-us-east.amazon-adsystem.com validator.w3.org csp.withgoogle.com gstatic.com www.gstatic.com 'nonce-nyz8y6meb9bif'".

initListeners @ content.js:1
_core_category.htm:1 Unchecked runtime.lastError: The message port closed before a response was received.
_core_category.htm:1 Unchecked runtime.lastError: The message port closed before a response was received.
/404.htm:1 Failed to load resource: the server responded with a status of 404 ()


_____________________________________

The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unauthorized code on your site.

To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.

If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive.

⚠️ Allowing string evaluation comes at the risk of inline script injection.

1 directive

Source location   Directive    Status
content.js:1      script-src   blocked
Learn more: Content Security Policy - Eval
Steps to reproduce

Seems Patrick can't reproduce, but I am seeing the above errors on Edge/Chrome.

Funded? No
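As an added example (not code from this report or from Composr), the following script parses the policy quoted in the console error above and decides whether it would permit string evaluation; only the 'unsafe-eval' keyword grants that, so the nonce in the reported policy does not help the blocked eval in content.js. The default-src fallback and the host-listing helper are assumptions added here for completeness.

```javascript
// Added example: parse a serialized CSP policy and decide whether eval(),
// new Function(), or setTimeout/setInterval with a string would be allowed.

// Policy copied from the console error quoted in the report above.
const REPORTED_POLICY =
  "script-src 'self' composr.app www.composr.app ipinfo.io www.ipinfo.io " +
  "z-na.amazon-adsystem.com aax-us-east.amazon-adsystem.com validator.w3.org " +
  "csp.withgoogle.com gstatic.com www.gstatic.com 'nonce-nyz8y6meb9bif'";

// Split a policy into { directiveName: [sourceExpressions] }.
// Directive names are case-insensitive; source expressions are kept as written.
function parseCsp(policy) {
  const directives = {};
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Source list governing scripts: script-src if present, otherwise default-src
// as the fallback, otherwise null (the policy places no restriction on scripts).
function scriptSources(directives) {
  if ("script-src" in directives) return directives["script-src"];
  if ("default-src" in directives) return directives["default-src"];
  return null;
}

// True when the policy lets the page evaluate strings as JavaScript.
// Nonces and hashes whitelist specific scripts but never re-enable eval.
function allowsEval(policy) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Keywords and nonces are quoted; everything else is a host source.
function hostSources(policy) {
  const sources = scriptSources(parseCsp(policy)) || [];
  return sources.filter((s) => !s.startsWith("'"));
}

console.log(allowsEval(REPORTED_POLICY));                     // false
console.log(allowsEval(REPORTED_POLICY + " 'unsafe-eval'"));  // true
console.log(hostSources(REPORTED_POLICY).length);             // 10
```

Running the reported policy through `allowsEval` reproduces the browser's decision: the nonce'd script-src blocks eval until 'unsafe-eval' is appended, which is exactly the weakening the devtools note warns about.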